felschr/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(vpn): exclude LANs from tailscale subnet routing

Browse source
This commit is contained in:
Felix Schröter 2025-06-07 00:21:50 +02:00
parent 9b9e8d5ee6
commit 4ebc3d6664
Signed by: felschr
GPG key ID: 671E39E6744C807D
1 changed files with 34 additions and 7 deletions

41
system/vpn.nix
View file

@ -26,13 +26,40 @@ in
services.networkd-dispatcher = {
enable = true;
rules."50-tailscale" = {
onState = [ "routable" ];
script = ''
for dev in $(${pkgs.iproute2}/bin/ip route show 0/0 | cut -f5 -d' '); do
${lib.getExe pkgs.ethtool} -K "$dev" rx-udp-gro-forwarding on rx-gro-list off
done
'';
rules = {
# exclude LANs from tailscale subnet routes (when using `--accept-routes`)
"50-tailscale-exclude-lan-routes" = {
onState = [ "routable" ];
script = ''
#!${pkgs.runtimeShell}
# shellcheck disable=SC2010
lan_interfaces=$(ls /sys/class/net | grep -E '^(enp|eth|wlp)')
if [[ "$lan_interfaces" == "" ]]; then exit 0; fi
echo "$lan_interfaces" | while IFS= read -r lan_if; do
for ipv in 4 6; do
subnets=$(${pkgs.iproute2}/bin/ip -"$ipv" route show dev "$lan_if" proto kernel | cut -f1 -d' ' | grep '/')
if [[ "$subnets" == "" ]]; then break; fi
echo "$subnets" | while IFS= read -r subnet; do
if ${pkgs.iproute2}/bin/ip -"$ipv" route show table 52 | grep -q "$subnet dev tailscale0"; then
${pkgs.iproute2}/bin/ip -"$ipv" route del "$subnet" dev tailscale0 table 52
${pkgs.iproute2}/bin/ip -"$ipv" route add throw "$subnet" table 52
fi
done
done
done
'';
};
# UDP throughput improvements
# https://tailscale.com/kb/1320/performance-best-practices?q=gro#linux-optimizations-for-subnet-routers-and-exit-nodes
"50-tailscale-rx-udp-gro-forwarding" = {
onState = [ "routable" ];
script = ''
for dev in $(${pkgs.iproute2}/bin/ip route show 0/0 | cut -f5 -d' '); do
${lib.getExe pkgs.ethtool} -K "$dev" rx-udp-gro-forwarding on rx-gro-list off
done
'';
};
};
};